peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

SeImpersonatePrivilege Local Privilege Escalation #13

Closed morro91 closed 4 years ago

morro91 commented 4 years ago

A good one for Windows privilege escalation: if they have the SeImpersonatePrivilege privilege enabled, they can get to SYSTEM access.

https://www.exploit-db.com/exploits/31667
https://hunter2.gitbook.io/darthsidious/privilege-escalation/juicy-potato
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

Some very POC code below:

```bat
REM flag SeImpersonatePrivilege only when it is currently Enabled in the token
whoami /priv | find "Enabled" | find "SeImpersonatePrivilege" && set expl=yes
```
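The one-liner above only fires when the privilege is already Enabled. A privilege that is present in the token but Disabled is still held by the process and can be switched on with AdjustTokenPrivileges, so a check that is meant to surface escalation paths should report the abusable privileges in either state and only ignore the ones that are absent. The following is an added example, not PEASS-ng code and not from the issue author: it parses `whoami /priv` output and flags the token privileges commonly abused for local privilege escalation. The list of privileges is an assumption drawn from the linked foxglovesecurity write-up and is not exhaustive, and the sample output is constructed, not captured from a real host.

```python
"""Flag token privileges in `whoami /priv` output that are commonly abusable
for Windows local privilege escalation.

Added example, not PEASS-ng code. ABUSABLE_PRIVILEGES is an assumed,
non-exhaustive list; SAMPLE_WHOAMI_PRIV is constructed, not captured.
"""
import re
import subprocess
import sys

# Assumption: well-known abusable privileges (token impersonation / "potato"
# family, backup/restore, debug, driver load). Not an official or complete list.
ABUSABLE_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token (JuicyPotato and friends)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Constructed sample resembling `whoami /priv` for a service-style account.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: name, free-text description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def find_abusable(privs):
    """Return (name, state, why) for abusable privileges held by the token.

    A Disabled privilege is still held and can be enabled by the process
    itself, so it is reported; only privileges absent from the token are
    ignored.
    """
    return [(name, state, ABUSABLE_PRIVILEGES[name])
            for name, state in privs.items() if name in ABUSABLE_PRIVILEGES]


def get_whoami_priv():
    """Run `whoami /priv` on Windows; fall back to the constructed sample."""
    if sys.platform == "win32":
        out = subprocess.run(["whoami", "/priv"], capture_output=True, text=True)
        return out.stdout
    return SAMPLE_WHOAMI_PRIV


if __name__ == "__main__":
    hits = find_abusable(parse_privileges(get_whoami_priv()))
    for name, state, why in hits:
        print(f"[!] {name} ({state}): {why}")
    if not hits:
        print("[-] no commonly abusable privileges held by this token")
```

Two caveats when running this against real output: `whoami /priv` is localized, so on a non-English Windows the State column is not "Enabled"/"Disabled" and the row regex must be adjusted; and holding SeImpersonatePrivilege is a precondition, not a guarantee, since the impersonation-based exploits additionally depend on the OS build and on which DCOM or named-pipe triggers are reachable.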

carlospolop commented 4 years ago

Hi @morro91,

Thank you very much for your suggestion. If you take a look at the output of winpeas.bat you can see that all the privileges that can be used to escalate privileges are mentioned just before executing whoami /all (so the user should look for them). I think that it is better to mention them and then print all the output of whoami /all because more interesting things can be found in the output of that execution apart from the privileges. What do you think?

In winpeas.exe all the privileges that can be used to escalate privileges are printed in red.

morro91 commented 4 years ago

ahhh must've skimmed over the output and missed that. cool cool, very nice :)